Analysis Report guy2.exe

Overview

General Information

Sample Name: guy2.exe
Analysis ID: 323572
MD5: a0e65c4d3bc5fb564f82fe66ab228044
SHA1: ff10833c4ba57938f94c41b75d824ac9e8fe36b4
SHA256: d8e273754006eb7118be058c46efef0a1b20ae4929dad75ecfed1ae1aae0c0eb
Tags: AgentTeslaPEP

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Installs a global keyboard hook
May check the online IP address of the machine
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe ReversingLabs: Detection: 43%
Multi AV Scanner detection for submitted file
Source: guy2.exe Virustotal: Detection: 58%
Source: guy2.exe ReversingLabs: Detection: 43%
Antivirus or Machine Learning detection for unpacked file
Source: 18.2.xQxAsve.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 1.2.guy2.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 22.2.xQxAsve.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\guy2.exe Code function: 4x nop then jmp 09C19028h 0_2_09C18284
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Code function: 4x nop then jmp 08A39028h 14_2_08A38284

Networking:

May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 54.243.161.145
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS traffic detected: queries for: activeheat.co.vu
Source: guy2.exe, 00000001.00000002.480411054.00000000032B1000.00000004.00000001.sdmp, xQxAsve.exe, 00000012.00000002.478360103.0000000003141000.00000004.00000001.sdmp, xQxAsve.exe, 00000016.00000002.479682422.0000000003011000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: xQxAsve.exe, 00000016.00000002.479682422.0000000003011000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: guy2.exe, 00000001.00000002.485266825.000000000361B000.00000004.00000001.sdmp, xQxAsve.exe, 00000012.00000002.479155669.0000000003205000.00000004.00000001.sdmp, xQxAsve.exe, 00000016.00000002.480320849.00000000030D5000.00000004.00000001.sdmp String found in binary or memory: http://activeheat.co.vu
Source: guy2.exe, 00000001.00000002.490071746.0000000006D50000.00000004.00000001.sdmp, xQxAsve.exe, 00000012.00000002.479155669.0000000003205000.00000004.00000001.sdmp, xQxAsve.exe, 00000016.00000002.480320849.00000000030D5000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: guy2.exe, 00000001.00000003.450271040.00000000012F1000.00000004.00000001.sdmp, xQxAsve.exe, 00000016.00000002.488287794.0000000006DF4000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: guy2.exe, 00000001.00000003.450271040.00000000012F1000.00000004.00000001.sdmp, xQxAsve.exe, 00000012.00000002.479155669.0000000003205000.00000004.00000001.sdmp, xQxAsve.exe, 00000016.00000002.480320849.00000000030D5000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: guy2.exe, 00000001.00000003.445751971.0000000001301000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
Source: xQxAsve.exe, 00000012.00000002.487451855.00000000070B0000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthofM
Source: guy2.exe, 00000001.00000002.490167943.0000000006DAC000.00000004.00000001.sdmp, xQxAsve.exe, 00000012.00000002.487451855.00000000070B0000.00000004.00000001.sdmp, xQxAsve.exe, 00000016.00000002.480320849.00000000030D5000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: guy2.exe, 00000000.00000002.224276106.00000000063D0000.00000002.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.305542757.00000000054C0000.00000002.00000001.sdmp, xQxAsve.exe, 00000013.00000002.331803714.00000000054E0000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: guy2.exe, 00000001.00000002.490071746.0000000006D50000.00000004.00000001.sdmp, guy2.exe, 00000001.00000003.445751971.0000000001301000.00000004.00000001.sdmp, xQxAsve.exe, 00000012.00000002.487451855.00000000070B0000.00000004.00000001.sdmp, xQxAsve.exe, 00000016.00000002.480320849.00000000030D5000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: guy2.exe, 00000000.00000002.219413063.000000000338F000.00000004.00000001.sdmp, guy2.exe, 00000001.00000002.480411054.00000000032B1000.00000004.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.301983864.0000000002551000.00000004.00000001.sdmp, xQxAsve.exe, 00000012.00000002.479040941.00000000031E8000.00000004.00000001.sdmp, xQxAsve.exe, 00000013.00000002.323785393.0000000002551000.00000004.00000001.sdmp, xQxAsve.exe, 00000016.00000002.480129247.00000000030B8000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: guy2.exe, 00000000.00000002.224276106.00000000063D0000.00000002.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.305542757.00000000054C0000.00000002.00000001.sdmp, xQxAsve.exe, 00000013.00000002.331803714.00000000054E0000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: guy2.exe, 00000000.00000002.224276106.00000000063D0000.00000002.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.305542757.00000000054C0000.00000002.00000001.sdmp, xQxAsve.exe, 00000013.00000002.331803714.00000000054E0000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: guy2.exe, 00000000.00000002.224276106.00000000063D0000.00000002.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.305542757.00000000054C0000.00000002.00000001.sdmp, xQxAsve.exe, 00000013.00000002.331803714.00000000054E0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: xQxAsve.exe, 00000013.00000002.331803714.00000000054E0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: guy2.exe, 00000000.00000002.224276106.00000000063D0000.00000002.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.305542757.00000000054C0000.00000002.00000001.sdmp, xQxAsve.exe, 00000013.00000002.331803714.00000000054E0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: guy2.exe, 00000000.00000002.224276106.00000000063D0000.00000002.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.305542757.00000000054C0000.00000002.00000001.sdmp, xQxAsve.exe, 00000013.00000002.331803714.00000000054E0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: guy2.exe, 00000000.00000002.224276106.00000000063D0000.00000002.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.305542757.00000000054C0000.00000002.00000001.sdmp, xQxAsve.exe, 00000013.00000002.331803714.00000000054E0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: guy2.exe, 00000000.00000002.224276106.00000000063D0000.00000002.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.305542757.00000000054C0000.00000002.00000001.sdmp, xQxAsve.exe, 00000013.00000002.331803714.00000000054E0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: guy2.exe, 00000000.00000002.224276106.00000000063D0000.00000002.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.305542757.00000000054C0000.00000002.00000001.sdmp, xQxAsve.exe, 00000013.00000002.331803714.00000000054E0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: guy2.exe, 00000000.00000002.224276106.00000000063D0000.00000002.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.305542757.00000000054C0000.00000002.00000001.sdmp, xQxAsve.exe, 00000013.00000002.331803714.00000000054E0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: guy2.exe, 00000000.00000002.224276106.00000000063D0000.00000002.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.305542757.00000000054C0000.00000002.00000001.sdmp, xQxAsve.exe, 00000013.00000002.331803714.00000000054E0000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: guy2.exe, 00000000.00000002.224276106.00000000063D0000.00000002.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.305542757.00000000054C0000.00000002.00000001.sdmp, xQxAsve.exe, 00000013.00000002.331803714.00000000054E0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: guy2.exe, 00000000.00000002.224276106.00000000063D0000.00000002.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.305542757.00000000054C0000.00000002.00000001.sdmp, xQxAsve.exe, 00000013.00000002.331803714.00000000054E0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: guy2.exe, 00000000.00000002.224276106.00000000063D0000.00000002.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.305542757.00000000054C0000.00000002.00000001.sdmp, xQxAsve.exe, 00000013.00000002.331803714.00000000054E0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: guy2.exe, 00000000.00000002.224276106.00000000063D0000.00000002.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.305542757.00000000054C0000.00000002.00000001.sdmp, xQxAsve.exe, 00000013.00000002.331803714.00000000054E0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: guy2.exe, 00000000.00000002.224276106.00000000063D0000.00000002.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.305542757.00000000054C0000.00000002.00000001.sdmp, xQxAsve.exe, 00000013.00000002.331803714.00000000054E0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: guy2.exe, 00000000.00000002.224276106.00000000063D0000.00000002.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.305542757.00000000054C0000.00000002.00000001.sdmp, xQxAsve.exe, 00000013.00000002.331803714.00000000054E0000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: guy2.exe, 00000000.00000002.224276106.00000000063D0000.00000002.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.305542757.00000000054C0000.00000002.00000001.sdmp, xQxAsve.exe, 00000013.00000002.331803714.00000000054E0000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: guy2.exe, 00000000.00000002.224276106.00000000063D0000.00000002.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.305542757.00000000054C0000.00000002.00000001.sdmp, xQxAsve.exe, 00000013.00000002.331803714.00000000054E0000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: guy2.exe, 00000000.00000002.224276106.00000000063D0000.00000002.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.305542757.00000000054C0000.00000002.00000001.sdmp, xQxAsve.exe, 00000013.00000002.331803714.00000000054E0000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: guy2.exe, 00000000.00000002.224276106.00000000063D0000.00000002.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.305542757.00000000054C0000.00000002.00000001.sdmp, xQxAsve.exe, 00000013.00000002.331803714.00000000054E0000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: xQxAsve.exe, 00000013.00000002.331803714.00000000054E0000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: guy2.exe, 00000000.00000002.224276106.00000000063D0000.00000002.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.305542757.00000000054C0000.00000002.00000001.sdmp, xQxAsve.exe, 00000013.00000002.331803714.00000000054E0000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: guy2.exe, 00000000.00000002.224276106.00000000063D0000.00000002.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.305542757.00000000054C0000.00000002.00000001.sdmp, xQxAsve.exe, 00000013.00000002.331803714.00000000054E0000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: guy2.exe, 00000000.00000002.224276106.00000000063D0000.00000002.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.305542757.00000000054C0000.00000002.00000001.sdmp, xQxAsve.exe, 00000013.00000002.331803714.00000000054E0000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: xQxAsve.exe, 00000016.00000002.479682422.0000000003011000.00000004.00000001.sdmp String found in binary or memory: http://wzhNVX.com
Source: guy2.exe, 00000001.00000002.484527766.00000000035B9000.00000004.00000001.sdmp String found in binary or memory: https://VHlE1Bk1DRzqSW.net
Source: guy2.exe, 00000001.00000002.484527766.00000000035B9000.00000004.00000001.sdmp String found in binary or memory: https://VHlE1Bk1DRzqSW.net(
Source: guy2.exe, 00000001.00000003.443028222.00000000013A4000.00000004.00000001.sdmp String found in binary or memory: https://VHlE1Bk1DRzqSW.net853321935-2125563209-4053062332-1002_Classes
Source: guy2.exe, 00000001.00000002.480411054.00000000032B1000.00000004.00000001.sdmp, xQxAsve.exe, 00000012.00000002.479040941.00000000031E8000.00000004.00000001.sdmp, xQxAsve.exe, 00000016.00000002.480129247.00000000030B8000.00000004.00000001.sdmp String found in binary or memory: https://activeheat.co.vu
Source: guy2.exe, 00000001.00000002.480411054.00000000032B1000.00000004.00000001.sdmp, xQxAsve.exe, 00000012.00000002.479040941.00000000031E8000.00000004.00000001.sdmp, xQxAsve.exe, 00000016.00000002.480129247.00000000030B8000.00000004.00000001.sdmp String found in binary or memory: https://activeheat.co.vu/dek/inc/f08405615b33f6.php
Source: xQxAsve.exe, 00000016.00000002.479682422.0000000003011000.00000004.00000001.sdmp String found in binary or memory: https://activeheat.co.vu/dek/inc/f08405615b33f6.php127.0.0.1POST
Source: guy2.exe, 00000001.00000002.484972239.00000000035F9000.00000004.00000001.sdmp, xQxAsve.exe, 00000012.00000002.479040941.00000000031E8000.00000004.00000001.sdmp, xQxAsve.exe, 00000016.00000002.480129247.00000000030B8000.00000004.00000001.sdmp String found in binary or memory: https://activeheat.co.vu4
Source: guy2.exe, 00000001.00000002.485479189.0000000003633000.00000004.00000001.sdmp String found in binary or memory: https://activeheat.co.vuD8
Source: guy2.exe, 00000001.00000002.480961942.0000000003308000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org
Source: guy2.exe, 00000001.00000002.480961942.0000000003308000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org/
Source: guy2.exe, 00000001.00000002.480961942.0000000003308000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org4
Source: xQxAsve.exe, 00000016.00000002.479682422.0000000003011000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: guy2.exe, 00000000.00000002.220656712.0000000004351000.00000004.00000001.sdmp, guy2.exe, 00000001.00000002.468399314.0000000000402000.00000040.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.303356146.0000000003551000.00000004.00000001.sdmp, xQxAsve.exe, 00000012.00000002.468356599.0000000000402000.00000040.00000001.sdmp, xQxAsve.exe, 00000013.00000002.326235962.0000000003511000.00000004.00000001.sdmp, xQxAsve.exe, 00000016.00000002.468183567.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: guy2.exe, 00000001.00000002.480411054.00000000032B1000.00000004.00000001.sdmp, xQxAsve.exe, 00000012.00000002.478360103.0000000003141000.00000004.00000001.sdmp, xQxAsve.exe, 00000016.00000002.479682422.0000000003011000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: guy2.exe, 00000001.00000002.490167943.0000000006DAC000.00000004.00000001.sdmp, xQxAsve.exe, 00000012.00000002.487451855.00000000070B0000.00000004.00000001.sdmp, xQxAsve.exe, 00000016.00000002.480320849.00000000030D5000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: guy2.exe, 00000001.00000003.445751971.0000000001301000.00000004.00000001.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: guy2.exe, 00000000.00000002.220656712.0000000004351000.00000004.00000001.sdmp, guy2.exe, 00000001.00000002.468399314.0000000000402000.00000040.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.303356146.0000000003551000.00000004.00000001.sdmp, xQxAsve.exe, 00000012.00000002.468356599.0000000000402000.00000040.00000001.sdmp, xQxAsve.exe, 00000013.00000002.326235962.0000000003511000.00000004.00000001.sdmp, xQxAsve.exe, 00000016.00000002.468183567.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: guy2.exe, 00000001.00000002.480411054.00000000032B1000.00000004.00000001.sdmp, xQxAsve.exe, 00000012.00000002.478360103.0000000003141000.00000004.00000001.sdmp, xQxAsve.exe, 00000016.00000002.479682422.0000000003011000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\guy2.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\guy2.exe
Creates a DirectInput object (often for capturing keystrokes)
Source: xQxAsve.exe, 0000000E.00000002.301037246.00000000007C8000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\guy2.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\guy2.exe Code function: 0_2_031FC124 0_2_031FC124
Source: C:\Users\user\Desktop\guy2.exe Code function: 0_2_031FE570 0_2_031FE570
Source: C:\Users\user\Desktop\guy2.exe Code function: 0_2_031FE563 0_2_031FE563
Source: C:\Users\user\Desktop\guy2.exe Code function: 0_2_09C15B58 0_2_09C15B58
Source: C:\Users\user\Desktop\guy2.exe Code function: 0_2_09C18284 0_2_09C18284
Source: C:\Users\user\Desktop\guy2.exe Code function: 0_2_09C17571 0_2_09C17571
Source: C:\Users\user\Desktop\guy2.exe Code function: 0_2_09C17A74 0_2_09C17A74
Source: C:\Users\user\Desktop\guy2.exe Code function: 0_2_09C130D6 0_2_09C130D6
Source: C:\Users\user\Desktop\guy2.exe Code function: 0_2_09C175C8 0_2_09C175C8
Source: C:\Users\user\Desktop\guy2.exe Code function: 0_2_09C156D8 0_2_09C156D8
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_0135A120 1_2_0135A120
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_0135C128 1_2_0135C128
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_01357018 1_2_01357018
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_0135C868 1_2_0135C868
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_01355888 1_2_01355888
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_01351E58 1_2_01351E58
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_01359568 1_2_01359568
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_01350040 1_2_01350040
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_013544D8 1_2_013544D8
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_0135E270 1_2_0135E270
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_0135AEE0 1_2_0135AEE0
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_01360520 1_2_01360520
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_01361FA0 1_2_01361FA0
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_013649E7 1_2_013649E7
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_01362BE8 1_2_01362BE8
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_01367430 1_2_01367430
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_01369828 1_2_01369828
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_0136ACB0 1_2_0136ACB0
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_01360CA0 1_2_01360CA0
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_0136F6FA 1_2_0136F6FA
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_013678C0 1_2_013678C0
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_0136F708 1_2_0136F708
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_013678A5 1_2_013678A5
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_018939A4 1_2_018939A4
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_0189BAE0 1_2_0189BAE0
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_0189B054 1_2_0189B054
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_03164860 1_2_03164860
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_03165530 1_2_03165530
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_03163D8C 1_2_03163D8C
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_03164770 1_2_03164770
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_031647D3 1_2_031647D3
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_03164853 1_2_03164853
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_03165550 1_2_03165550
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_0316DBC1 1_2_0316DBC1
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_03163D80 1_2_03163D80
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Code function: 14_2_007BC124 14_2_007BC124
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Code function: 14_2_007BE570 14_2_007BE570
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Code function: 14_2_007BE561 14_2_007BE561
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Code function: 14_2_08A38284 14_2_08A38284
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Code function: 14_2_08A35B58 14_2_08A35B58
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Code function: 14_2_08A37571 14_2_08A37571
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Code function: 14_2_08A330D6 14_2_08A330D6
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Code function: 14_2_08A37A74 14_2_08A37A74
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Code function: 14_2_08A35B49 14_2_08A35B49
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Code function: 14_2_08A375BF 14_2_08A375BF
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Code function: 14_2_08A356C9 14_2_08A356C9
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Code function: 14_2_08A356D8 14_2_08A356D8
Sample file is different than original file name gathered from version info
Source: guy2.exe, 00000000.00000002.219413063.000000000338F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMARCUS.dll4 vs guy2.exe
Source: guy2.exe, 00000000.00000002.219413063.000000000338F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameB2B.exe4 vs guy2.exe
Source: guy2.exe, 00000000.00000000.201740870.0000000000F40000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameOS.exe2 vs guy2.exe
Source: guy2.exe, 00000000.00000002.219374075.0000000003351000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSKPDPYhBZPpwWDqeaPRKRIbBjj.exe4 vs guy2.exe
Source: guy2.exe, 00000001.00000002.475807185.0000000001330000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs guy2.exe
Source: guy2.exe, 00000001.00000002.479329361.0000000001740000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs guy2.exe
Source: guy2.exe, 00000001.00000002.468399314.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameSKPDPYhBZPpwWDqeaPRKRIbBjj.exe4 vs guy2.exe
Source: guy2.exe, 00000001.00000002.474642665.0000000000FA8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs guy2.exe
Source: guy2.exe, 00000001.00000000.217669428.0000000000E10000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameOS.exe2 vs guy2.exe
Source: guy2.exe, 00000001.00000002.479267716.0000000001730000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx vs guy2.exe
Source: guy2.exe Binary or memory string: OriginalFilenameOS.exe2 vs guy2.exe
Source: guy2.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: xQxAsve.exe.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@17/5@7/3
Source: C:\Users\user\Desktop\guy2.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\guy2.exe.log
Source: C:\Users\user\Desktop\guy2.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\guy2.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\guy2.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\guy2.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: guy2.exe Virustotal: Detection: 58%
Source: guy2.exe ReversingLabs: Detection: 43%
Source: C:\Users\user\Desktop\guy2.exe File read: C:\Users\user\Desktop\guy2.exe
Source: unknown Process created: C:\Users\user\Desktop\guy2.exe 'C:\Users\user\Desktop\guy2.exe'
Source: unknown Process created: C:\Users\user\Desktop\guy2.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe 'C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe {path}
Source: C:\Users\user\Desktop\guy2.exe Process created: C:\Users\user\Desktop\guy2.exe {path}
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process created: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe {path}
Source: C:\Users\user\Desktop\guy2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\guy2.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\guy2.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: guy2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: guy2.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: guy2.exe, SimpleTextEditor/LoginForm.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.guy2.exe.ec0000.0.unpack, SimpleTextEditor/LoginForm.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.guy2.exe.ec0000.0.unpack, SimpleTextEditor/LoginForm.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: xQxAsve.exe.1.dr, SimpleTextEditor/LoginForm.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.guy2.exe.d90000.0.unpack, SimpleTextEditor/LoginForm.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.guy2.exe.d90000.1.unpack, SimpleTextEditor/LoginForm.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.xQxAsve.exe.c0000.0.unpack, SimpleTextEditor/LoginForm.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.xQxAsve.exe.c0000.0.unpack, SimpleTextEditor/LoginForm.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.xQxAsve.exe.1f0000.0.unpack, SimpleTextEditor/LoginForm.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.xQxAsve.exe.1f0000.0.unpack, SimpleTextEditor/LoginForm.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.xQxAsve.exe.2c0000.0.unpack, SimpleTextEditor/LoginForm.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.xQxAsve.exe.2c0000.0.unpack, SimpleTextEditor/LoginForm.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.0.xQxAsve.exe.130000.0.unpack, SimpleTextEditor/LoginForm.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.2.xQxAsve.exe.130000.0.unpack, SimpleTextEditor/LoginForm.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.0.xQxAsve.exe.ce0000.0.unpack, SimpleTextEditor/LoginForm.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.xQxAsve.exe.ce0000.1.unpack, SimpleTextEditor/LoginForm.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.0.xQxAsve.exe.10000.0.unpack, SimpleTextEditor/LoginForm.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.2.xQxAsve.exe.10000.0.unpack, SimpleTextEditor/LoginForm.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 20.0.xQxAsve.exe.320000.0.unpack, SimpleTextEditor/LoginForm.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 20.2.xQxAsve.exe.320000.0.unpack, SimpleTextEditor/LoginForm.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 22.0.xQxAsve.exe.c80000.0.unpack, SimpleTextEditor/LoginForm.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 22.2.xQxAsve.exe.c80000.1.unpack, SimpleTextEditor/LoginForm.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\guy2.exe Code function: 0_2_00EC81C9 push 00000000h; iretd 0_2_00EC82A0
Source: C:\Users\user\Desktop\guy2.exe Code function: 0_2_00EC8CC6 push ss; iretd 0_2_00EC8CE6
Source: C:\Users\user\Desktop\guy2.exe Code function: 0_2_00EC8CDF push ss; iretd 0_2_00EC8CE6
Source: C:\Users\user\Desktop\guy2.exe Code function: 0_2_031FF933 push eax; iretd 0_2_031FF939
Source: C:\Users\user\Desktop\guy2.exe Code function: 0_2_09C1C13D push FFFFFF8Bh; iretd 0_2_09C1C13F
Source: C:\Users\user\Desktop\guy2.exe Code function: 0_2_09C1C027 push dword ptr [ebx+ebp-75h]; iretd 0_2_09C1C04D
Source: C:\Users\user\Desktop\guy2.exe Code function: 0_2_09C1174D pushad ; iretd 0_2_09C11751
Source: C:\Users\user\Desktop\guy2.exe Code function: 0_2_09C1073D push ecx; ret 0_2_09C1073E
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_00D98CDF push ss; iretd 1_2_00D98CE6
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_00D981C9 push 00000000h; iretd 1_2_00D982A0
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_00D98CC6 push ss; iretd 1_2_00D98CE6
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_0136DC30 push esp; iretd 1_2_0136DC31
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_018960A0 pushad ; ret 1_2_018960A1
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Code function: 14_2_000C81C9 push 00000000h; iretd 14_2_000C82A0
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Code function: 14_2_000C8CC6 push ss; iretd 14_2_000C8CE6
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Code function: 14_2_000C8CDF push ss; iretd 14_2_000C8CE6
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Code function: 14_2_007BF932 push eax; iretd 14_2_007BF939
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Code function: 14_2_08A3C13D push FFFFFF8Bh; iretd 14_2_08A3C13F
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Code function: 14_2_08A3073D push ecx; ret 14_2_08A3073E
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Code function: 14_2_08A3174D pushad ; iretd 14_2_08A31751
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Code function: 15_2_001F8CDF push ss; iretd 15_2_001F8CE6
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Code function: 15_2_001F81C9 push 00000000h; iretd 15_2_001F82A0
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Code function: 15_2_001F8CC6 push ss; iretd 15_2_001F8CE6
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Code function: 16_2_002C81C9 push 00000000h; iretd 16_2_002C82A0
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Code function: 16_2_002C8CC6 push ss; iretd 16_2_002C8CE6
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Code function: 16_2_002C8CDF push ss; iretd 16_2_002C8CE6
Source: initial sample Static PE information: section name: .text entropy: 7.73806831255

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\guy2.exe File created: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe
Source: C:\Users\user\Desktop\guy2.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run xQxAsve

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\guy2.exe File opened: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe:Zone.Identifier read attributes | delete
Moves itself to temp directory
Source: c:\users\user\desktop\guy2.exe File moved: C:\Users\user\AppData\Local\Temp\tmpG946.tmp
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\guy2.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\guy2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: 00000000.00000002.219413063.000000000338F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.302094753.0000000002593000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.323785393.0000000002551000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xQxAsve.exe PID: 6864, type: MEMORY
Source: Yara match File source: Process Memory Space: guy2.exe PID: 5980, type: MEMORY
Source: Yara match File source: Process Memory Space: xQxAsve.exe PID: 6628, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\guy2.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\guy2.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: guy2.exe, 00000000.00000002.219413063.000000000338F000.00000004.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.303263725.00000000028F1000.00000004.00000001.sdmp, xQxAsve.exe, 00000013.00000002.326074194.00000000028B1000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: guy2.exe, 00000000.00000002.219413063.000000000338F000.00000004.00000001.sdmp, xQxAsve.exe, 0000000E.00000002.303263725.00000000028F1000.00000004.00000001.sdmp, xQxAsve.exe, 00000013.00000002.326074194.00000000028B1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\guy2.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\guy2.exe Window / User API: threadDelayed 1957
Source: C:\Users\user\Desktop\guy2.exe Window / User API: threadDelayed 1590
Source: C:\Users\user\Desktop\guy2.exe Window / User API: threadDelayed 8268
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Window / User API: threadDelayed 427
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Window / User API: threadDelayed 4292
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Window / User API: threadDelayed 1750
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Window / User API: threadDelayed 8101
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Window / User API: threadDelayed 703
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Window / User API: threadDelayed 1478
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Window / User API: threadDelayed 2916
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Window / User API: threadDelayed 6927
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\guy2.exe TID: 3512 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\guy2.exe TID: 5348 Thread sleep time: -41500s >= -30000s
Source: C:\Users\user\Desktop\guy2.exe TID: 4112 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\guy2.exe TID: 1276 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\Desktop\guy2.exe TID: 5260 Thread sleep count: 1590 > 30
Source: C:\Users\user\Desktop\guy2.exe TID: 5260 Thread sleep count: 8268 > 30
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe TID: 6748 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe TID: 6632 Thread sleep time: -41500s >= -30000s
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe TID: 6716 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe TID: 1328 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe TID: 1320 Thread sleep count: 1750 > 30
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe TID: 1320 Thread sleep count: 8101 > 30
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe TID: 6900 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe TID: 6868 Thread sleep time: -41500s >= -30000s
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe TID: 6888 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe TID: 1784 Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe TID: 6544 Thread sleep count: 2916 > 30
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe TID: 6544 Thread sleep count: 6927 > 30
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\guy2.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: xQxAsve.exe, 00000013.00000002.326074194.00000000028B1000.00000004.00000001.sdmp Binary or memory string: VMware
Source: xQxAsve.exe, 00000013.00000002.326074194.00000000028B1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: xQxAsve.exe, 00000013.00000002.326074194.00000000028B1000.00000004.00000001.sdmp Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: xQxAsve.exe, 00000013.00000002.326074194.00000000028B1000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: xQxAsve.exe, 00000013.00000002.326074194.00000000028B1000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: xQxAsve.exe, 00000013.00000002.326074194.00000000028B1000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: xQxAsve.exe, 00000013.00000002.326074194.00000000028B1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: xQxAsve.exe, 00000013.00000002.326074194.00000000028B1000.00000004.00000001.sdmp Binary or memory string: VMware
Source: guy2.exe, 00000001.00000002.490071746.0000000006D50000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll <
Source: xQxAsve.exe, 00000013.00000002.326074194.00000000028B1000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: xQxAsve.exe, 00000013.00000002.326074194.00000000028B1000.00000004.00000001.sdmp Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\guy2.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\guy2.exe Code function: 1_2_01357018 LdrInitializeThunk, 1_2_01357018
Enables debug privileges
Source: C:\Users\user\Desktop\guy2.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\guy2.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\guy2.exe Memory written: C:\Users\user\Desktop\guy2.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Memory written: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\guy2.exe Process created: C:\Users\user\Desktop\guy2.exe {path}
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Process created: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe {path}
Source: guy2.exe, 00000001.00000002.479905017.0000000001CB0000.00000002.00000001.sdmp, xQxAsve.exe, 00000012.00000002.477983352.0000000001B90000.00000002.00000001.sdmp, xQxAsve.exe, 00000016.00000002.478963860.0000000001990000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: guy2.exe, 00000001.00000002.479905017.0000000001CB0000.00000002.00000001.sdmp, xQxAsve.exe, 00000012.00000002.477983352.0000000001B90000.00000002.00000001.sdmp, xQxAsve.exe, 00000016.00000002.478963860.0000000001990000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: guy2.exe, 00000001.00000002.479905017.0000000001CB0000.00000002.00000001.sdmp, xQxAsve.exe, 00000012.00000002.477983352.0000000001B90000.00000002.00000001.sdmp, xQxAsve.exe, 00000016.00000002.478963860.0000000001990000.00000002.00000001.sdmp Binary or memory string: Progman
Source: guy2.exe, 00000001.00000002.479905017.0000000001CB0000.00000002.00000001.sdmp, xQxAsve.exe, 00000012.00000002.477983352.0000000001B90000.00000002.00000001.sdmp, xQxAsve.exe, 00000016.00000002.478963860.0000000001990000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Users\user\Desktop\guy2.exe VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Users\user\Desktop\guy2.exe VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xQxAsve\xQxAsve.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\guy2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000001.00000002.480411054.00000000032B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.468356599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.478360103.0000000003141000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.303356146.0000000003551000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.326235962.0000000003511000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.468399314.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.479682422.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.220656712.0000000004351000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.468183567.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xQxAsve.exe PID: 6864, type: MEMORY
Source: Yara match File source: Process Memory Space: xQxAsve.exe PID: 6796, type: MEMORY
Source: Yara match File source: Process Memory Space: guy2.exe PID: 5980, type: MEMORY
Source: Yara match File source: Process Memory Space: xQxAsve.exe PID: 7020, type: MEMORY
Source: Yara match File source: Process Memory Space: guy2.exe PID: 3544, type: MEMORY
Source: Yara match File source: Process Memory Space: xQxAsve.exe PID: 6628, type: MEMORY
Source: Yara match File source: 18.2.xQxAsve.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.guy2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.xQxAsve.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\guy2.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\guy2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\guy2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\guy2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\guy2.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\guy2.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\guy2.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\guy2.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\guy2.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\guy2.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: 00000001.00000002.480411054.00000000032B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.478360103.0000000003141000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.479682422.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xQxAsve.exe PID: 6796, type: MEMORY
Source: Yara match File source: Process Memory Space: xQxAsve.exe PID: 7020, type: MEMORY
Source: Yara match File source: Process Memory Space: guy2.exe PID: 3544, type: MEMORY
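The credential-store accesses listed in this section are the most useful behavioural tell in the report: one process opens browser, FTP, mail and WinSCP stores within a single run, and separately reads MachineGuid, which on its own is benign. The following Python is an added example, not code from the report or from the sandbox vendor. It parses behaviour lines in the same format as the report ("Source: <process> File opened: <path>", "Key opened: <key>", "Key value queried: <key> <value>"), normalises the user-profile prefix so the rules do not depend on the sandbox user name, and flags any process that touches stores of two or more unrelated categories. The rule table contains only the artefacts this report shows; the user name, the benign processes and the sample log lines are constructed.

```python
"""Flag AgentTesla-style credential-store access in sandbox behaviour lines.

Added example, not the report's or the sandbox vendor's code. The rule table
lists only the artefacts shown in this report; the sample log is constructed.
"""
import re
from collections import defaultdict

# (category, pattern over the normalised, lower-cased path or registry key).
# Paths under C:\Users\<name>\ are rewritten to %userprofile%\ before matching.
RULES = [
    ("browser",   re.compile(r"^%userprofile%\\appdata\\roaming\\mozilla\\firefox\\profiles\.ini$")),
    ("browser",   re.compile(r"^%userprofile%\\appdata\\local\\google\\chrome\\user data\\[^\\]+\\(login data|cookies)$")),
    ("ftp",       re.compile(r"^%userprofile%\\appdata\\roaming\\filezilla\\recentservers\.xml$")),
    ("ftp",       re.compile(r"^%userprofile%\\appdata\\roaming\\smartftp\\client 2\.0\\favorites\\")),
    ("mail",      re.compile(r"^%userprofile%\\appdata\\roaming\\thunderbird\\profiles\.ini$")),
    ("mail",      re.compile(r"^hkey_current_user\\software\\incredimail\\identities$")),
    ("mail",      re.compile(r"^hkey_current_user\\software\\microsoft\\windows nt\\currentversion\\windows messaging subsystem\\profiles\\")),
    ("scp/ssh",   re.compile(r"^hkey_current_user\\software\\martin prikryl\\winscp 2\\sessions$")),
    # Read by the stealer as a victim identifier, but also by plenty of
    # legitimate software, so it never counts towards the verdict on its own.
    ("victim-id", re.compile(r"^hkey_local_machine\\software\\microsoft\\cryptography machineguid$")),
]

# One behaviour line, with the optional trailing link text the report carries.
EVENT_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?\.exe)\s+"
    r"(?P<kind>File opened|Key opened|Key value queried):\s+"
    r"(?P<target>.+?)(?:\s+Jump to behavior)?\s*$"
)


def normalise(target: str) -> str:
    """Lower-case and replace the per-user profile prefix with a placeholder."""
    t = target.strip().lower()
    return re.sub(r"^c:\\users\\[^\\]+", "%userprofile%", t)


def classify(target: str) -> list:
    """Return the credential-store categories a path or registry key belongs to."""
    t = normalise(target)
    return [cat for cat, pat in RULES if pat.search(t)]


def scan(lines) -> dict:
    """Map each process to {category: [targets it touched]}."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # other event types (VolumeInformation, Yara matches, ...)
        for cat in classify(m["target"]):
            hits[m["proc"]][cat].append(m["target"].strip())
    return {proc: dict(cats) for proc, cats in hits.items()}


def is_credential_stealer(cats: dict, threshold: int = 2) -> bool:
    """A mail client reading its own profile, or a browser its own login
    database, is normal. One process reading stores of several unrelated
    categories in a single run, as guy2.exe does, is the stealer pattern."""
    return len(set(cats) - {"victim-id"}) >= threshold


def summarise(lines) -> dict:
    """Per-process verdict over a whole behaviour log."""
    return {proc: is_credential_stealer(cats) for proc, cats in scan(lines).items()}


# Constructed sample log in the report's line format (not taken from the report).
SAMPLE_LOG = r"""
Source: C:\Users\alice\Desktop\guy2.exe File opened: C:\Users\alice\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\alice\Desktop\guy2.exe File opened: C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\alice\Desktop\guy2.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\alice\Desktop\guy2.exe File opened: C:\Users\alice\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Users\alice\Desktop\guy2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\alice\Desktop\guy2.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Program Files\Mozilla Firefox\firefox.exe File opened: C:\Users\alice\AppData\Roaming\Mozilla\Firefox\profiles.ini
""".strip().splitlines()

if __name__ == "__main__":
    for proc, cats in scan(SAMPLE_LOG).items():
        flag = "STEALER" if is_credential_stealer(cats) else "ok"
        print(f"{flag:8} {proc}: {sorted(cats)}")
```

On the constructed log the stealer process is flagged for four categories while explorer.exe (MachineGuid only) and firefox.exe (its own profiles.ini) are not. Running the same rules against an EDR file-access feed rather than sandbox output needs only a different EVENT_RE; the category table and the two-category threshold carry over unchanged.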

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000001.00000002.480411054.00000000032B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.468356599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.478360103.0000000003141000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.303356146.0000000003551000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.326235962.0000000003511000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.468399314.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.479682422.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.220656712.0000000004351000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.468183567.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xQxAsve.exe PID: 6864, type: MEMORY
Source: Yara match File source: Process Memory Space: xQxAsve.exe PID: 6796, type: MEMORY
Source: Yara match File source: Process Memory Space: guy2.exe PID: 5980, type: MEMORY
Source: Yara match File source: Process Memory Space: xQxAsve.exe PID: 7020, type: MEMORY
Source: Yara match File source: Process Memory Space: guy2.exe PID: 3544, type: MEMORY
Source: Yara match File source: Process Memory Space: xQxAsve.exe PID: 6628, type: MEMORY
Source: Yara match File source: 18.2.xQxAsve.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.guy2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.xQxAsve.exe.400000.0.unpack, type: UNPACKEDPE
Behavior Graph:

Behavior Graph ID: 323572
Sample: guy2.exe
Startdate: 27/11/2020
Architecture: WINDOWS
Score: 100

Signatures on the sample:
  Multi AV Scanner detection for submitted file
  Yara detected AgentTesla
  Yara detected AntiVM_3
  3 other signatures

Process tree (dropped files, network contacts and signatures are listed under the process that produced them):

guy2.exe
  dropped: C:\Users\user\AppData\Local\...\guy2.exe.log (ASCII)
  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
  Injects a PE file into a foreign processes
  guy2.exe (child process)
    activeheat.co.vu 80.85.159.36, ports 443, 49731, 49742, CHELYABINSK-SIGNAL-ASRU, Russian Federation
    elb097307-934924932.us-east-1.elb.amazonaws.com 54.243.161.145, ports 443, 49747, AMAZON-AESUS, United States
    3 other IPs or domains
    dropped: C:\Users\user\AppData\Roaming\...\xQxAsve.exe (PE32)
    dropped: C:\Users\user\...\xQxAsve.exe:Zone.Identifier (ASCII)
    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
    Moves itself to temp directory
    Tries to steal Mail credentials (via file access)
    4 other signatures
xQxAsve.exe
  Multi AV Scanner detection for dropped file
  xQxAsve.exe (child process)
  xQxAsve.exe (child process)
  xQxAsve.exe (child process)
  xQxAsve.exe (child process)
xQxAsve.exe
  xQxAsve.exe (child process)
  xQxAsve.exe (child process)

Contacted Public IPs

IP              Domain   Country             ASN    ASN Name                 Malicious
54.243.161.145  unknown  United States       14618  AMAZON-AESUS             false
80.85.159.36    unknown  Russian Federation  44493  CHELYABINSK-SIGNAL-ASRU  false

Private

IP
192.168.2.1

Contacted Domains

Name                                             IP              Active
activeheat.co.vu                                 80.85.159.36    true
elb097307-934924932.us-east-1.elb.amazonaws.com  54.243.161.145  true
api.ipify.org                                    unknown         unknown